Understanding Windows CardSpace

Written by Vittorio Bertocci, Garrett Serack and Caleb Baker, all of whom were part of the original CardSpace project, the book is deeply grounded in the theory and technology that came out of it. At the same time, it is obviously their personal project. It has a personal feeling and conviction I found attractive.

The presentation begins with a problem statement – “The Advent of Profitable Digital Crime”. There is a systematic introduction to the full panoply of attack vectors we need to withstand, and the book convincingly explains why we need an in-depth solution, not another band-aid leading to some new vulnerability.

For those “unskilled in the art”, there is an introduction to relevant cryptographic concepts, and an explanation of how both certificates and https work. These will be helpful to many who would otherwise find parts of the book out of reach.

Next comes an intelligent discussion of the Laws of Identity, the multi-centered world and the identity metasystem. The book is laid out to include clever sidebars and commentaries, and becomes progressively more McLuhanesque. On to SOAP and Web Services protocols – even an introduction to SAML and WS-Trust, always with plenty of diagrams and explanations of the threats.

Then we are introduced to the concept of an identity selector and the model of user-centric interaction.

Part two deals specifically with CardSpace, starting with walk-throughs, and leading to implementation. This includes “Guidance for a Relying Party”, an in-depth look at the features of CardSpace, and a discussion of using CardSpace in the browser.

The authors move on to Using CardSpace for Federation, and explore how CardSpace works with the Windows Communication Foundation. Even here, we're brought back to the issues involved in relying on an Identity Provider, and a discussion of potential business models for various metasystem actors.

Needless to say, much of what's covered in this book applies to Higgins and OpenInformationCard and Bandit as well as CardSpace.

Above all, it is a readable book that balances technology with the broader issues of identity. I imagine almost anyone who reads this blog will have something to gain from it. I especially recommend it for people who want a holistic introduction to digital identity, CardSpace and web services. I think the book is excellent for students. I even expect it will be enjoyed by more than one policy maker who wants to understand the underlying technical problems of identity.

So check it out, and let me know what you think.

[By the way: One chapter of the book is now online as a stream of html text, but I'd avoid it. The printed layout and interplay of commentaries add both life and interest…]